Web applications have become an essential part of daily activities, providing easy
accessibility and better performance. They are a platform where sensitive information
such as usernames, passwords, credit card details, and operating system and software
versions is stored, which attracts intruders and drives most of their attacks.
Intruders can steal valuable data by compromising web application security flaws;
cross site scripting (XSS) vulnerability is one of these. Several studies have been
conducted in order to prevent the XSS vulnerability. In this research, we searched
Scopus Indexed articles published in the last 11 years (between 2008 and 2020) using
two keywords (“XSS attack prevention” and “XSS prevention”). The purpose of this study
was to conduct a literature review on XSS prevention techniques, e.g., strengths and
weaknesses, including structural issues and real-time deployment location, in order to
extract valuable information. This review identified 14 articles among the 25 selected
articles that provided various suitable prevention techniques for XSS attacks. Seven
articles are based on tools that have been implemented and take into account design,
coding, testing, and integrating validation processes; six articles are about
server-side solutions; and one is about automatic mitigation solutions. As a result,
this research will be invaluable in guiding the advancement of XSS prevention
techniques.


1. INTRODUCTION

Web applications are a mandatory requirement for businesses, organizations, and customer-behavior 
solutions in order to provide easy access and improved performance to their target users in modern life. 
Security is a major concern in web applications since they contain personal data and information about 
people. The most common web application vulnerabilities, as per the open web application security project
(OWASP), are injection, broken authentication and session management, cross-site scripting (XSS), broken
access control, security misconfiguration, and sensitive data exposure [1]. XSS is a client-side code injection
attack that allows an attacker to execute malicious JavaScript in the browser of another user by injecting it
into vulnerable web application pages. When a random user visits the compromised page, the page will deliver
the malicious script into the victim's browser and execute it. The three types of XSS attacks are: (i) an
attacker injects a malicious script which is permanently stored on the targeted database server (stored XSS
vulnerability); (ii) XSS attacks are also delivered via phishing emails and other websites: when users receive
a crafted link and click it, the injected code reflects the attack to the user’s browser (reflected XSS attacks
or XSS Type-I attack); (iii) document object model (DOM) based XSS simply means an XSS vulnerability that
appears in the DOM instead of the HTML part, which occurs when a page is managing an action or performing
any specific transactions [2]-[5].

XSS attacks should be intensely managed for security purposes. During the research, we observed 
that the majority of the proposed models and implemented tools or techniques are intended to identify and 
prevent only one or two types of XSS vulnerabilities. It should be noted that while these tools can prevent 
XSS vulnerabilities, they face obstacles in reducing the attack rate. Therefore, the goal of the study was to 
assist users in gaining an independent understanding of the existing XSS vulnerability prevention 
mechanisms as well as their strengths and weaknesses. This article also discussed the deployment location of 
the XSS vulnerability in web applications. 

The remainder of this paper is laid out as follows: section 2 reviews some relevant research works; section 3
provides details of the methods of this research. Results, evaluation, and discussion are outlined in section 4.
Finally, the paper is wrapped up in section 5.


2. RELEVANT RESEARCH WORKS 

Tariq et al. [6] proposed utilizing genetic algorithm (GA) in conjunction with threat intelligence and 
reinforcement learning (RL) to defeat XSS attacks, with the results being not only more flexible to changes in 
XSS payloads, but also more understandable to end-users. Rao et al. [7] examined XSS and its taxonomy 
including XSS attack devices, as well as analysis and prevention of XSS forgeries. Kumar et al. [8] suggested 
a unique method called obfuscation to safeguard online applications from SQL injection attacks, XSS attacks, 
and reverse engineering attacks. A comprehensive analysis of XSS exploitation as well as existing detection 
and prevention mechanisms are discussed in [9]. Stency and Mohanasundaram [10] compared XSS attack 
detection techniques in terms of algorithm simplicity, algorithm type, and performance metrics. Vital data on 
the operations of machine learning (ML), predictive analytics, and the development of the significant web 
that properly evaluates and eliminates SQL injection attack (SQLIA) with experiential value demonstrated in 
the receiver operating curve and Confusion matrix was provided in [11]. 

The goal of the work by Gogoi et al. [12] was to measure the efficiency of various ML algorithms in
identifying XSS attacks in web apps and websites, as well as to utilize ML to detect XSS attacks through 
various ML methods. Kumar et al. [13] described a multi-layer prevention approach in which the attacker is 
defended at the API key authentication level using an encryption technique that prohibits the attacker from 
gaining direct access to the API. Google's secure-by-design engineering approach was proposed in [14] 
which successfully avoids DOM-based XSS vulnerabilities in large-scale web development. Ivanova and 
Rozeva [15] proposed an ML technique for detecting stored XSS attacks and defending a representational 
state transfer (REST) web service written in JAVA, which was evaluated in a specifically designed test-bed 
simulation environment that included the IntelliJ IDEA environment, Postman, and a web browser. A secure 
framework that may be used to accomplish real-time detection and mitigation of XSS attacks in cloud-based 
web applications via deep learning (DL) at a high level of accuracy was presented in [16]. A solution 
integrating three techniques to determine the most difficult attacking challenges is revealed in [17] by 
implementing Random Forest (RF), k-Nearest Neighbors (k-NN), logistic regression (LR), support vector 
machine (SVM) algorithms, content security policy (CSP) approach, web application firewall (WAF), 
intrusion detection and prevention system (IDS and IPS). Maurel et al. [18] investigated utilizing neural 
networks to identify XSS vulnerabilities utilizing static methods. 


3. METHOD 
3.1. Article search process 

We performed a methodical search strategy to find the publications that detail how XSS
vulnerabilities in web applications are exploited. In this methodical search, we queried the Scopus
Indexed databases with two keywords to evaluate the articles. We began by searching for publications
published between 2008 and 2021 using the terms “XSS attack prevention” and “XSS prevention”.


3.2. Article inclusion and exclusion criterion 

We employed a set of criteria to include and reject articles from the batch of articles discovered through
the Scopus indexing database search. We studied the title, abstract, methodology, and findings of each
article to determine which ones to include and reject from the list of papers obtained by our systematic
searching process. Only articles that were utilized to avoid XSS attacks were considered.


3.3. Data extraction

Each article was assessed based on the following key points: (i) performance comparison of 
different types of XSS attack, (ii) overview of three types of XSS vulnerability detection and prevention 
techniques, (iii) deployment location of XSS vulnerability in web applications. 


3.4. Defensive coding 

The defense code mechanism is performed in three stages as shown in Figure 1. The XSS prevention 
strategies were chosen first, followed by various XSS defense code techniques. Finally, injected locations 
have been identified using defense coding techniques. Figure 2 presents the categorization of defense coding 
mechanism. An updated methodology of XSS prevention for cloud platforms was given in [19] which first 
scans HTTP requests for embedded URI links that point to URLs of external JS files containing malicious 
XSS payloads. Both precise and coarse-grained taint tracking are implemented with JavaScript in [20], and
the researchers illustrate how the precise taint tracking API may be used to fight against XSS attacks and
SQL injection. Dembla et al. [21] offered a client-side solution using a knapsack cryptographic local proxy
with encryption and decryption functionality to protect cookies against XSS attacks. This solution encrypts 
the cookie's value (session-ID) attribute at the cryptographic local proxy before delivering it to the browser, 
and then sends the encrypted cookie's requests to the cryptographic local proxy, which decrypts them and 
forwards them to the web server. A new approach to thwart XSS attacks was presented in [22] which is 
independent of the languages used to construct web apps and solves XSS vulnerabilities that originate from 
different interfaces. The approach is structured, configured, and constructed in .Net, XML, and XSD, then 
tested in a web application written in JSP/Servlets and deployed in the JavaBeans Open-Source Software 
(JBOSS) application server. It is determined to be effective since it allows for cross-language use with very 
little configuration to prevent XSS. A context-sensitive encoder is derived from context-free grammars in 
order to serve appropriate unparsing of potentially malicious input data for all context-free languages [23]. 
This unparsing process produces documents in which the input data has no effect on the structure of the 
document and has no effect on its intended semantics. 
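
The idea behind context-sensitive encoding, shown as an added example that is not taken from [23] or any
other reviewed work: the same untrusted value needs a different encoder for each output context. The
encoders here are hand-written rather than derived from a grammar; the function names and the base URL
https://app.example/ are assumptions, and the sample input is constructed.

```javascript
// Added illustration: one encoder per output context (names are hypothetical).
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// HTML text nodes and quoted attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Inside a quoted JavaScript string literal: every character outside a small
// safe set becomes \uXXXX, so quotes, backslashes, line breaks and
// "</script>" cannot terminate the literal or the script block.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,-]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// href/src attribute: allow-list the scheme first, then encode for HTML.
function encodeUrlAttribute(value) {
  let url;
  try {
    url = new URL(String(value), 'https://app.example/'); // assumed base URL
  } catch (err) {
    return '#'; // unparseable input never reaches the page
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return encodeHtml(url.href);
}

const ENCODERS = { html: encodeHtml, js: encodeJsString, url: encodeUrlAttribute };

// Fail closed: an unknown context is an error, never a pass-through.
function encodeFor(context, value) {
  if (!Object.prototype.hasOwnProperty.call(ENCODERS, context)) {
    throw new Error('no encoder for context: ' + context);
  }
  return ENCODERS[context](value);
}

// Constructed sample input containing quote and markup characters.
const sample = "O'Reilly </script><b>";
console.log(`<p>${encodeFor('html', sample)}</p>`);
console.log(`<script>var name = '${encodeFor('js', sample)}';</script>`);
console.log(`<a href="${encodeFor('url', '/a?x=1&y=2')}">link</a>`);
```

HTML encoding alone leaves backslashes and line breaks untouched, which is why it cannot stand in for the
JavaScript string encoder.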


[Figure 1 stages: XSS Prevention Method; XSS Defense Coding Techniques; Injection Location]

Figure 1. The architecture of defense coding mechanism


Figure 2. Categorization of defense coding mechanism


Important factors to remember when constructing a cross-site scripting prevention ... (Md. Maruf Hassan) 


968 o ISSN: 2302-9285 


Wang et al. [24] proposed a dynamic detection framework (TT-XSS) for DOM-XSS using taint 
tracking at the client side which involved rewriting all JavaScript features and DOM APIs to taint browser 
rendering. To this purpose, additional data types and methods are introduced to enhance the original data 
structure's semantic description capabilities, based on which the taint traces were evaluated during page 
parsing by tainting all sources, sinks, and transfer processes. The Knuth-Morris-Pratt (KMP) string matching 
technique was used to compare the user's input string with the stored pattern of the injection string in order to 
detect any malicious code in [25]. Gupta et al. [26] offered a context-sensitive solution based on static taint 
analysis and pattern matching techniques, with an implemented prototype tool validated on a public data set 
of 9408 samples, to detect and remediate XSS vulnerabilities in web application source code. Guaman [27] 
offered a tool that allows testing and validation procedures to reduce vulnerabilities and make web 
applications secure using a REST architectural style, a design pattern facade, and Java EE from the aspect of 
design, development, and deployment. 
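
The KMP-based comparison of user input against stored injection patterns described for [25], sketched as
an added example that is not the code of that tool. The pattern store and sample inputs are constructed,
the function names are hypothetical, and the normalisation step (one round of percent-decoding plus case
folding) is an assumption added here.

```javascript
// Added illustration of KMP-based pattern screening; not the tool from [25].

// fail[i] = length of the longest proper prefix of pattern[0..i]
// that is also a suffix of it.
function buildFailureTable(pattern) {
  const fail = new Array(pattern.length).fill(0);
  let k = 0;
  for (let i = 1; i < pattern.length; i++) {
    while (k > 0 && pattern[i] !== pattern[k]) k = fail[k - 1];
    if (pattern[i] === pattern[k]) k++;
    fail[i] = k;
  }
  return fail;
}

// Index of the first occurrence of pattern in text, or -1. Runs in
// O(text + pattern) time because the text index never moves backwards.
function kmpSearch(text, pattern, fail) {
  if (pattern.length === 0) return 0;
  let k = 0;
  for (let i = 0; i < text.length; i++) {
    while (k > 0 && text[i] !== pattern[k]) k = fail[k - 1];
    if (text[i] === pattern[k]) k++;
    if (k === pattern.length) return i - k + 1;
  }
  return -1;
}

// Constructed pattern store; failure tables are precomputed once.
const STORED_PATTERNS = ['<script', 'javascript:', 'onerror='].map(
  (pattern) => ({ pattern, fail: buildFailureTable(pattern) }));

// Assumed normalisation: decode percent-encoding once and fold case, so the
// stored lowercase patterns also match encoded or mixed-case input.
function normalise(input) {
  let s = String(input);
  try {
    s = decodeURIComponent(s);
  } catch (err) {
    // Malformed escapes: keep the raw string rather than dropping the input.
  }
  return s.toLowerCase();
}

// Returns every stored pattern found in the input with its offset.
function screenInput(input) {
  const text = normalise(input);
  const hits = [];
  for (const { pattern, fail } of STORED_PATTERNS) {
    const at = kmpSearch(text, pattern, fail);
    if (at !== -1) hits.push({ pattern, at });
  }
  return hits;
}

// Constructed sample parameter values.
for (const value of ['blue running shoes', '%3CScRiPt%3Ex', 'see javascript: docs']) {
  console.log(JSON.stringify(value), '->', JSON.stringify(screenInput(value)));
}
```

The third sample is benign text that still matches a stored pattern, so a screen of this kind needs
tuning against false positives before its hits are used to block requests.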

After studying these articles, we can conclude that a defensive coding mechanism is a type of 
defensive design that works in the event of a failure, especially when high availability, safety, or security are 
required. It aims to increase the overall quality of software and source code by making the source code 
accessible and by ensuring that the software performs appropriately in the face of unexpected inputs or user 
actions. 


4. RESULTS, EVALUATION AND DISCUSSION 
4.1. Search article results 

Figure 3 summarizes the search results of the articles. Based on the phrase cross-site scripting
attack, we discovered 81 publications published in renowned journals and conferences between January 2008 
and December 2021 using our systematic article search process. Then we scanned all of the articles in detail, 
identifying the most important points in each. We used two keywords to find the publications: “XSS Attack 
Prevention” and “XSS Prevention,” which yielded 10 and 15 articles, respectively. We next studied each 
article's title, abstract, keyword, and technique before selecting 14 publications for analysis from the Scopus 
Indexed Databases. As a result of this search, 14 publications were found that explored the XSS vulnerability 
prevention technique in web applications. 


[Figure 3 flowchart]
Scopus Database
  Using keyword "Cross Site Scripting Attack" with condition "Journal, magazines, & conference
  publications" and year "2008-2021": Found Article = 81
  Using keyword "XSS Attack Prevention" within previous search result: Found Article = 10
  Using keyword "XSS Prevention" within previous search result: Found Article = 15
  Article excluded: after reading title, abstract, keyword, & methodology based on XSS prevention
  context = 4; non-relevant subject = 3; total excluded = 7
  Include Article = 14
  Duplicate article excluded = 0, because there is no same article found from the database
  Total included article for this review = 14

Figure 3. The process of article searching


4.2. Descriptive analysis

Table 1 summarizes the findings of the 14 articles on XSS attack prevention strategies. We
discovered a method that can automatically insert borders and establish policies to mitigate the attacking
probability of an XSS vulnerability [28]. To safeguard the web application from XSS attacks, an execution
flow analyzer has been built that can emulate client program behavior [29]. A browser proxy has been
designed to ensure the security of sensitive data using an information flow approach [30]. A server-side
approach has been implemented in some research that limits user input from untrusted sites, removes the
no-output script, and readily accommodates complicated attacks [31]-[35]. Several researchers have produced
technologies that can reduce XSS attacks on online applications by taking into account design,
coding, testing, and incorporating validation [26], [27], [36]-[38].


Table 1. XSS attack prevention technology summary

| Authors | Tools | Strength | Weakness |
|---|---|---|---|
| Gupta et al. [26] | XSSDM | XSS vulnerabilities are precisely detected and mitigated using taint analysis and pattern matching techniques | It is necessary to improve support for the object-oriented paradigm |
| Guamán et al. [27] | RESTful WS | To reduce flaws and strengthen the security of web applications through design, development, and deployment while taking testing and validation into account | Security and software development standards should be set to ensure the system's integrity |
| Shahriar and Zulkernine [28] | S2XS2 | Create policies and dynamically insert borders | Time-consuming and low detection capability |
| Chen et al. [29] | An execution flow analyzer | Create the FSA in order to simulate the client program's actions | Need to modify the web source code |
| Xiao et al. [30] | Information flow | The security of sensitive data is ensured by using JSTFlow as a browser proxy | There are restrictions to the sensitive data that has been detected |
| Barhoom and Kohail [31] | Server-side solution | Prevent untrusted user input, modify the trusted code structure | Retrieve from the accessible network's server |
| Bisht and Venkatakrishnan [32] | XSS-GUARD | Define the server-side code and eliminate the no-output code | Do not forbid the permissible benign HTML |
| Mewara et al. [33] | XSS-ME | Easy accommodation of complex attack | Can detect and prevent only one attack |
| Caliwag et al. [34] | Escaping technique | Capable of preventing XSS attack on the created online inventory system by removing unnecessary data | XSS attack mitigation was the sole focus |
| Maurya [35] | 'Positive Security Model' based 'Server-side solution' | Allow safe tags from the blacklist to perform XSS with faster time processing when matching attack vectors | Attackers can circumvent the input sanitizer though it will be blocked later |
| Gupta and Gupta [36] | XSS-SAFE | Sanitization routines are injected into the JavaScript source code to detect and mitigate maliciously injected XSS attack vectors | Only recognizes the link between stored and injected features in the JavaScript source code |
| V et al. [37] | BIXSAN: browser independent XSS Sanitizer for prevention of XSS attacks | HTML parse tree producer is used to improve the inconsistency of web browser performance along with to recognize static script tags | Unable to detect XSS of dynamically growing parsing quirks in the XSS cheat sheet as the method evaluated by referring to it |
| Saxena et al. [38] | FLAX: systematic discovery of client-side validation vulnerabilities in rich Web applications | A lightweight tool in comparison to others, with no false positives and sufficient scalability | The complexity of sanitization failures that persist in client-side javascript code has not been highlighted in FLAX testing |
| Wurzinger et al. [39] | SWAP: mitigating XSS attacks using a reverse proxy | Strong detection of differences between benign and injected javascript code | Many types of XSS attacks are undetectable |


4.3. Evaluation based on the attack type 

As stated in Table 2, we investigated and evaluated each recommended strategy to see if it might be 
used to counteract a specific attack. We conducted an analytical evaluation based on our experience because 
we were unable to assess any of the methods in real-time practices due to the lack of implementation codes 
for most methods. Except for DOM-based XSS, we found five articles regarding tools developed for server- 
side XSS attacks that can detect stored and reflected XSS [26], [28], [33], [40], [41]. Four articles discussed 
how their implemented tool can only detect stored XSS in server-side web applications [31], [36], [42], [43]. 
Only reflected XSS can be detected by two studies that are deployed for server-side location [32], [37].
Three studies highlighted how their tools can detect reflected and DOM XSS from server-side locations [25], 
[44], [45]. Five studies that are deployed for client-side location can only identify DOM XSS [24], [29], [30], 
[46], and [47]. A tool for detecting stored XSS in client-side web applications was developed in a study [38]. 
A study developed a client-side tool capable of detecting both stored and reflected XSS [39]. In a paper, 
techniques were created to detect stored XSS on cloud-based online applications [48]. A study developed a 
tool for detecting reflected XSS in client-side web applications [49]. 


Table 2. Evaluation based on the attack type

| Authors | Deployment location | Stored XSS (persistent) | Reflected XSS | DOM XSS |
|---|---|---|---|---|
| Wang et al. [24] | Client-side | N | N | Y |
| Abikoye et al. [25] | Server-side | N | Y | Y |
| Gupta et al. [26] | Server-side | Y | Y | N |
| Shahriar and Zulkernine [28] | Server-side | Y | Y | N |
| Chen et al. [29] | Client-side | N | N | Y |
| Xiao et al. [30] | Client-side | N | N | Y |
| Barhoom and Kohail [31] | Server-side | Y | N | N |
| Bisht and Venkatakrishnan [32] | Server-side | N | Y | N |
| Mewara et al. [33] | Server-side | Y | Y | N |
| Gupta and Gupta [36] | Server-side | Y | N | N |
| V et al. [37] | Server-side | N | Y | N |
| Saxena et al. [38] | Client-side | Y | N | N |
| Wurzinger et al. [39] | Client-side | Y | Y | N |
| Gupta and Gupta [40] | Server-side | Y | Y | N |
| Gundy and Chen [41] | Server-side | Y | Y | N |
| Agten et al. [42] | Server-side | Y | N | N |
| Shahriar and Zulkernine [43] | Server-side | Y | N | N |
| Shrivastava et al. [44] | Server-side | N | Y | Y |
| Cao et al. [45] | Server-side | N | Y | Y |
| Pan and Mao [46] | Client-side | N | N | Y |
| Weinberger et al. [47] | Client-side | N | N | Y |
| Gupta and Gupta [48] | Cloud | N | Y | Y |
| Stamm et al. [49] | Client-side | N | Y | N |

“Y” indicates a method that can successfully stop an attack of that type and “N” indicates a method that
cannot stop an attack of that type.


4.4. Evaluation based on deployment 

Table 3 presents an analysis of each approach based on different deployment requirements. Three 
methods are highly resistant to attacks: cryptography, exception management, and parsing. Pattern matching, 
HTML escaping, JavaScript escaping, and ML are four techniques that are moderately resistant to attack, 
whereas the XML approach is not. 


Table 3. Evaluation based on deployment requirements

| Method | URL | Login | Search | Detect | Prevent | Modify code base | Resistant to attack |
|---|---|---|---|---|---|---|---|
| Cryptography | N | Y | N | N | Y | Y | High |
| Pattern matching | Y | Y | Y | Y | Y | N | Medium |
| XML approach | Y | Y | Y | N | Y | N | Low |
| Exception management | Y | Y | Y | Y | Y | N | High |
| HTML escaping | Y | N | Y | Y | N | N | Medium |
| JavaScript escaping | Y | Y | Y | Y | Y | N | Medium |
| Machine learning | Y | Y | Y | Y | Y | Y | Medium |
| Parsing | Y | Y | Y | Y | Y | Y | High |

“Y” indicates the method can be deployed to that injection parameter and “N” indicates the method cannot
be deployed to that injection parameter.


5. CONCLUSION 

In this paper, we presented a case study on the prevention of XSS vulnerabilities in web 
applications. We classified various types of defense coding techniques based on XSS prevention methods. 
Furthermore, based on the deployed locations, we discussed the strengths, weaknesses, comparison, and 
evaluation of various types of XSS prevention techniques. The points raised during our discussion will be 
useful in making a decision about implementing XSS prevention tools to protect web applications from XSS 
vulnerability exploitation. Moreover, we have concentrated on research directions and challenges related to 
XSS prevention techniques. Although several techniques for preventing XSS attacks have been implemented, 
their usage for real-time deployment location and extraction of estimated useful information may still be 
endangered by the issue emphasized in this study. 